The rise in CISO job dissatisfaction – what’s wrong and how can it be fixed?

More CISOs are dissatisfied with the role today than ever before, with studies showing that a high number of security chiefs (75%) are interested in a job change.

What gives? Researchers, advisors and CISOs themselves cite a litany of reasons for the current discontent, ranging from a lack of executive support to the increased personal liability created by recently enacted security regulations, such as the cyber disclosure rules adopted by the US Securities and Exchange Commission (SEC).

It doesn’t help that in several recent incidents, CISOs have been held personally and legally responsible for the handling and reporting of breaches, most notably in the high-profile case of former Uber CISO Joe Sullivan, who was sentenced to three years of probation after being convicted of obstruction and misprision of a felony for concealing a 2016 breach.

“The way the role is scoped today is set up for failure,” says Nick Shevelyov, an executive leader with 25 years of cybersecurity, IT, data privacy and risk management experience who now provides cybersecurity consulting and advisory services.

But Shevelyov and others say that doesn’t have to be the case. Executives, directors and CISOs themselves can push for improvements in the scope of the role to make the position primed for success instead, which in turn would mean both increased job satisfaction and — perhaps more importantly — more secure organizations.

“This is a time of great challenge and also a time of great opportunity,” says Steven Martano, a partner at recruiting firm Artico Search.

Dissatisfaction, burnout, and their consequences for CISOs

The State of the CISO 2023-2024 Report, from IANS Research and Artico Search, found that CISO job satisfaction sits at 64%, down from 74% in 2022 and 69% in 2021. The percentage of CISOs open to changing jobs is 75%. The 2023 Voice of the CISO report, from security software company Proofpoint, also uncovered some troubling figures, revealing that 73% of US CISOs experienced burnout in the prior year.

Meanwhile, the Cybersecurity Burnout Survey: Quick Read Report from Wakefield Research, conducted on behalf of security software maker Devo Technology, found that 83% of the security professionals it surveyed said they or someone in their department had made an error in their role that resulted in a security breach because of burnout. Some 77% said their stress levels at work have had a direct impact on keeping private customer data safe. And 85% admitted that, as a result of burnout, they would have to switch roles, leave their company, or leave their company and switch careers in the coming year.

All that, experts say, is leading to churn. The average tenure for a CISO is only 18 to 26 months (well under the general C-suite tenure of 4.9 years), according to the CISO Workforce and Headcount 2023 Report from Cybersecurity Ventures.

Furthermore, research firm Gartner estimates that nearly half of cybersecurity leaders will change roles by 2025, with 25% transitioning to different positions due to work-related stressors.

What’s driving CISO dissatisfaction?

It would be easy to blame such figures solely on the stressful nature of security work, especially as the volume and velocity of threats grow along with the amount of infrastructure and data requiring protection.

But that would be an oversimplification, says Chris Mixter, a Gartner vice president and analyst. After all, the typical CISO advanced to the top security spot after years of working in the security profession and is used to the pressure, long hours, and all-hands-on-deck moments. They’re mission-driven, and they’re well aware of the high stakes.

Rather, CISOs most often point to organizational issues as the cause of their dissatisfaction, Mixter and other sources say.

One such issue relates to the CISO’s place in their organization. Many continue to fight for the proverbial seat at the executive or board table, saying they’re not yet equally included in strategic decisions and do not have the visibility and communication with the most senior executives and the board of directors that they believe is required.

Consequently, many CISOs say they lack the executive alignment and buy-in they need on security measures and risk-mitigation efforts, and on the funding required to deliver them. That leaves CISOs pulled in too many directions, with too little ability to prioritize where they spend their time and resources.

Lack of C-suite support can be frustrating

“The reason for dissatisfaction is the lack of executive management support,” says Nikolay Chernavsky, CISO of ISSQUARED, which provides managed IT and security services as well as software products. He says he hears CISOs voice frustration when their views on required security measures and acceptable risk are dismissed; when the board and CEO don’t define their positions on those issues; or when those leaders don’t recognize the CISO’s work in reducing risk — especially as the CISO faces more accountability and liability.

Understandably, CISOs shy away from interview requests to publicly share their frustrations on these issues. However, the IANS Research report speaks to these points, noting, for example, that only 36% of CISOs said they have clear guidance from their board on their risk tolerance.

Adding to these issues today is the liability that CISOs now face with the new US Securities and Exchange Commission (SEC) cyber disclosure rules as well as other regulatory and legal requirements. That increased liability is coupled with the fact that many CISOs are not covered by their organization’s directors and officers (D&O) liability insurance. (Many corporations do not consider CISOs as corporate officers, despite the “officer” part of their title.)

These dynamics leave a widening gap between the accountability for security decisions and the authority that CISOs have to actually enact those decisions, says Shevelyov, author of “Cyber War…and Peace: Building Digital Trust Today with History as Our Guide”.

Longtime security leaders say those dynamics, along with that gap between accountability and authority, are driving the dissatisfaction, burnout, and churn in the market. “The core problem is the CISOs feeling a lack of support, and particularly meaningful support, from the organization,” says IANS Research senior research director Nick Kakolowski. “CISOs feel like they’re operating on an island, and they’re being scapegoated when something goes wrong.”

Organizations need to change to keep CISOs happy

Security leaders say CEOs, directors and others in the C-suite need to hear that message and then make adjustments if they want to keep their CISOs and ensure their security posture is where it should be.

Those adjustments must close the gap between the high level of accountability CISOs now have and the lower level of authority they hold in many organizations, Shevelyov says. Closing that gap would, in turn, help get CISOs that full seat at the executive table and ensure that other “various stakeholders have skin in the [security] game,” he adds.

It also would help ensure that information from CISOs is accurately presented to the CEO and the board, Shevelyov and others say, something multiple sources stress is a top priority for improving how CISOs view their position and their effectiveness in the role.

“Effective CISOs need a direct line to the board of directors,” Mixter says, explaining that this direct line allows for CISOs and boards to develop and align their understanding of risk, security requirements and the resources required to meet those shared objectives.

Kakolowski agrees, saying “We see when CISOs get regular exposure to the board, the board starts being more aware of security and gives more support to CISOs.”

What CISOs should seek from their organizations

CISOs can – and should – advocate for specific practices, including their inclusion on D&O insurance policies, says Rick Crandall, chair of the cyber committee at the National Cybersecurity Center and co-author of NCC’s 2023 report, “The Great CISO Resignation”.

Crandall says he and NCC also believe that CISOs should have a direct line to the board, including a scheduled executive session with the board (or one of its committees) at least once a year. (They note that other executives, notably the CFO, already have such executive sessions, in which that executive meets alone with the board to encourage open and frank discussion.)

“There should be an opportunity for the CISO to be asked questions and to answer directly without any curating, and that should be OK with [all the other executives],” adds Crandall, who is also managing partner at Aspen Ventures and a member of multiple boards.

Separating security and IT budgets, succession plans can help

Additionally, CISOs should insist on standalone security budgets rather than having their funding carved out of another department’s budget, such as IT’s, which helps align accountability with authority, Crandall says.

Mixter also advises CISOs to “be ruthless with their time,” meaning they prioritize the demands for their attention and the relationships they have with others in the organization. As Mixter notes, “now everyone wants CISOs at their table, but CISOs can’t be everything to everybody, and not all relationships are as important as others.”

He further advises CISOs to create succession plans. This, he explains, allows CISOs to develop the bench strength they need and thus delegate more critical work with confidence that it will get done. That in turn makes CISOs more efficient and effective and, usually, more satisfied in their roles.

“CISOs need a world-class team of reports to be effective,” Mixter says, adding that research confirms “better, stronger performance comes with succession plans. But research shows only about half of CISOs have them in place.”

There is hope — some organizations are addressing CISO concerns

CISOs, senior executives and boards are addressing these issues to varying degrees. Joe Nocera, principal in the cyber risk and regulatory practice at PwC, a professional services firm, says he sees more CISOs cultivating relationships and the business acumen that earns them an equal seat at the executive table. He also sees more CISOs seeking D&O insurance coverage and executive sessions with the board.

Some directors are taking action, too. Katie Swafford, senior manager for digital and cyber content development at the National Association of Corporate Directors, says in a prepared statement that the NACD’s 2023 Board Practices and Oversight Survey found that the CISO is one of the top executives most frequently reporting on cybersecurity to public and private company boards.

Swafford notes that “among companies where technology oversight is most needed, CISOs will find boards are willing to help them grow their business, strategy and finance acumen.”

Still, many CISOs continue to say they struggle for the support and resources they need.

“The CISOs we talk to have brought up the stress of the position and the accountability and how their personal liability has changed significantly,” Nocera says. “There’s a lot more responsibilities in the role today than there were five or 10 years ago. And while I’m seeing more and more CISOs with that seat at the table, others are [only] in the room and on the back bench.”

Mixter says CISOs don’t have to accept that, explaining that those who aren’t satisfied with the level of attention and support that boards and executive teams give to security could walk. As he notes, “supply and demand favors the CISO today.”
